diff options
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/authorization/cedar_authorizer_test.rs | 149 | ||||
| -rw-r--r-- | tests/authorization/check_service_test.rs | 123 | ||||
| -rw-r--r-- | tests/authorization/mod.rs | 3 | ||||
| -rw-r--r-- | tests/authorization/server_test.rs | 46 | ||||
| -rw-r--r-- | tests/integration_test.rs | 2 | ||||
| -rw-r--r-- | tests/support/common.rs | 12 | ||||
| -rw-r--r-- | tests/support/factory_bot.rs | 74 | ||||
| -rw-r--r-- | tests/support/mod.rs | 2 |
8 files changed, 0 insertions, 411 deletions
diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs deleted file mode 100644 index 58563832..00000000 --- a/tests/authorization/cedar_authorizer_test.rs +++ /dev/null @@ -1,149 +0,0 @@ -#[cfg(test)] -mod tests { - use crate::support::factory_bot::*; - use crate::support::*; - use authzd::Authorizer; - use envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest; - use std::collections::HashMap; - - fn subject() -> authzd::CedarAuthorizer { - common::setup(); - subject_with(cedar_policy::Entities::empty()) - } - - fn subject_with(entities: cedar_policy::Entities) -> authzd::CedarAuthorizer { - build_cedar_authorizer(entities) - } - - #[test] - fn test_cedar_authorizer_denies_missing_header() { - assert!( - !subject().authorize(build_request(|item: &mut HttpRequest| { - item.headers = HashMap::new(); - })) - ); - } - - #[test] - fn test_unauthenticated_sparkle_endpoints() { - let hosts = vec![ - "localhost:10000", - "sparkle.runway.gitlab.net", - "sparkle.staging.runway.gitlab.net", - ]; - - let routes = vec![ - ("GET", "/", true), - ("GET", "/callback", true), - ("GET", "/dashboard/nav", true), - ("GET", "/health", true), - ("GET", "/signout", true), - ("GET", "/sparkles", true), - ("POST", "/sparkles/restore", true), - ("GET", "/dashboard", false), - ("POST", "/sparkles", false), - ]; - - let authorizer = subject(); - for host in hosts { - for (method, path, expected) in &routes { - let request = build_request(|item: &mut HttpRequest| { - item.method = method.to_string(); - item.path = path.to_string(); - item.host = host.to_string(); - item.headers = build_headers(vec![ - (String::from(":path"), path.to_string()), - (String::from(":method"), method.to_string()), - (String::from(":authority"), host.to_string()), - ]); - }); - - assert_eq!( - authorizer.authorize(request), - *expected, - "{} {}", - method, - path - ); - } - } - } - - // TODO:: Add entities to represent access to: - // * list of sparkles: `:read, gid://sparkle/Sparkle/*` - // * single sparkle: `:read, gid://sparkle/Sparkle/:id` - // * create sparkle: `:create, gid://sparkle/Sparkle/*` - // * update sparkles: `:update, gid://sparkle/Sparkle/*` - // * update single sparkle: `:update, gid://sparkle/Sparkle/:id` - // * delete sparkles: `:delete, gid://sparkle/Sparkle/*` - // * delete single sparkle: `:delete, gid://sparkle/Sparkle/:id` - #[test] - fn test_authenticated_create_sparkle() { - let request = build_request(|item: &mut HttpRequest| { - item.method = "POST".to_string(); - item.path = "/sparkles".to_string(); - item.host = "sparkle.staging.runway.gitlab.net".to_string(); - item.headers = build_headers(vec![ - (String::from(":path"), item.path.to_string()), - (String::from(":method"), item.method.to_string()), - (String::from(":authority"), item.host.to_string()), - (String::from("x-jwt-claim-sub"), "1675940".to_string()), - ]); - }); - - let mut attrs = std::collections::HashMap::new(); - attrs.insert( - "username".to_string(), - cedar_policy::RestrictedExpression::new_string("tanuki".to_string()), - ); - let user = build_user("1675940", attrs); - let entities = cedar_policy::Entities::from_entities([user], None).unwrap(); - let authorizer = subject_with(entities); - assert!(authorizer.authorize(request.clone())); - - let mut attrs = std::collections::HashMap::new(); - attrs.insert( - "username".to_string(), - cedar_policy::RestrictedExpression::new_string("root".to_string()), - ); - let user = build_user("1", attrs); - let entities = cedar_policy::Entities::from_entities([user], None).unwrap(); - let authorizer = subject_with(entities); - assert!(!authorizer.authorize(request.clone())); - } - - #[test] - fn test_sparkle_homepage() { - let request = build_request(|item: &mut HttpRequest| { - item.method = "GET".to_string(); - item.path = "/".to_string(); - item.host = "localhost:10000".to_string(); - item.headers = build_headers(vec![ - (String::from(":path"), item.path.to_string()), - (String::from(":method"), item.method.to_string()), - (String::from(":authority"), item.host.to_string()), - ]); - }); - - let authorizer = subject(); - assert_eq!(authorizer.authorize(request), true); - } - - #[test] - fn test_sparkle_dashboard() { - let request = build_request(|item: &mut HttpRequest| { - item.method = "GET".to_string(); - item.path = "/dashboard".to_string(); - item.host = "localhost:10000".to_string(); - item.headers = build_headers(vec![ - (String::from("x-jwt-claim-sub"), "1".to_string()), - (String::from(":path"), item.path.to_string()), - (String::from(":method"), item.method.to_string()), - (String::from(":authority"), item.host.to_string()), - ]); - }); - - let authorizer = subject(); - assert_eq!(authorizer.authorize(request), true); - } -} diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs deleted file mode 100644 index 3db0ec9e..00000000 --- a/tests/authorization/check_service_test.rs +++ /dev/null @@ -1,123 +0,0 @@ -#[cfg(test)] -mod tests { - use crate::support::factory_bot::*; - use authzd::CheckService; - use envoy_types::ext_authz::v3::pb::Authorization; - use envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest; - use std::sync::Arc; - - fn subject() -> CheckService { - CheckService::new(Arc::new(build_cedar_authorizer( - cedar_policy::Entities::empty(), - ))) - } - - #[tokio::test] - async fn test_no_headers() { - let request = tonic::Request::new(build_request(|_http| {})); - - let response = subject().check(request).await; - assert!(response.is_ok()); - - let check_response = response.unwrap().into_inner(); - assert!(check_response.status.is_some()); - - let status = check_response.status.unwrap(); - assert_eq!( - tonic::Code::from_i32(status.code), - tonic::Code::Unauthenticated - ); - } - - #[tokio::test] - async fn test_static_assets() { - let routes = vec![ - ("GET", "/app.js", tonic::Code::Ok), - ("GET", "/application.js", tonic::Code::Ok), - ("GET", "/favicon.ico", tonic::Code::Ok), - ("GET", "/favicon.png", tonic::Code::Ok), - ("GET", "/image.jpg", tonic::Code::Ok), - ("GET", "/assets/image.jpg", tonic::Code::Ok), - ("GET", "/assets/style.css", tonic::Code::Ok), - ("GET", "/assets/application.js", tonic::Code::Ok), - ("GET", "/htmx.js", tonic::Code::Ok), - ("GET", "/index.html", tonic::Code::Ok), - ("GET", "/logo.png", tonic::Code::Ok), - ("GET", "/pico.min.css", tonic::Code::Ok), - ("GET", "/vue.global.js", tonic::Code::Ok), - ]; - - for (method, path, expected_status_code) in &routes { - let request = tonic::Request::new(build_request(|item: &mut HttpRequest| { - item.method = method.to_string(); - item.path = path.to_string(); - item.host = "localhost:3000".to_string(); - item.headers = build_headers(vec![ - (String::from(":path"), item.path.to_string()), - (String::from(":method"), item.method.to_string()), - (String::from(":authority"), item.host.to_string()), - ]); - })); - - let response = subject().check(request).await; - assert!(response.is_ok()); - - let check_response = response.unwrap().into_inner(); - assert!(check_response.status.is_some()); - - let status = check_response.status.unwrap(); - assert_eq!(tonic::Code::from_i32(status.code), *expected_status_code); - } - } - - #[tokio::test] - async fn test_public_sparkle_endpoints() { - let hosts = vec![ - "localhost:10000", - "sparkle.runway.gitlab.net", - "sparkle.staging.runway.gitlab.net", - ]; - - let routes = vec![ - ("GET", "/", tonic::Code::Ok), - ("GET", "/callback", tonic::Code::Ok), - ("GET", "/dashboard/nav", tonic::Code::Ok), - ("GET", "/health", tonic::Code::Ok), - ("GET", "/signout", tonic::Code::Ok), - ("GET", "/sparkles", tonic::Code::Ok), - ("POST", "/sparkles/restore", tonic::Code::Ok), - ("GET", "/dashboard", tonic::Code::Unauthenticated), - ("POST", "/sparkles", tonic::Code::Unauthenticated), - ]; - - for host in hosts { - for (method, path, expected_status_code) in &routes { - let request = tonic::Request::new(build_request(|item: &mut HttpRequest| { - item.method = method.to_string(); - item.path = path.to_string(); - item.host = host.to_string(); - item.headers = build_headers(vec![ - (String::from(":path"), path.to_string()), - (String::from(":method"), method.to_string()), - (String::from(":authority"), host.to_string()), - ]); - })); - - let response = subject().check(request).await; - assert!(response.is_ok()); - - let check_response = response.unwrap().into_inner(); - assert!(check_response.status.is_some()); - - let status = check_response.status.unwrap(); - assert_eq!( - tonic::Code::from_i32(status.code), - *expected_status_code, - "{} {}", - method, - path - ); - } - } - } -} diff --git a/tests/authorization/mod.rs b/tests/authorization/mod.rs deleted file mode 100644 index 675247d4..00000000 --- a/tests/authorization/mod.rs +++ /dev/null @@ -1,3 +0,0 @@ -mod cedar_authorizer_test; -mod check_service_test; -mod server_test; diff --git a/tests/authorization/server_test.rs b/tests/authorization/server_test.rs deleted file mode 100644 index 5a92dcff..00000000 --- a/tests/authorization/server_test.rs +++ /dev/null @@ -1,46 +0,0 @@ -#[cfg(test)] -mod tests { - use crate::support::factory_bot::*; - use std::net::SocketAddr; - use tokio::net::TcpListener; - - async fn available_port() -> SocketAddr { - let listener = TcpListener::bind("127.0.0.1:0") - .await - .expect("Failed to bind to random port"); - let addr = listener.local_addr().expect("Failed to get local address"); - drop(listener); - addr - } - - async fn start_server() -> (SocketAddr, tokio::task::JoinHandle<()>) { - let addr = available_port().await; - let server = authzd::authorization::Server::default(); - - let handle = tokio::spawn(async move { - server.serve(addr).await.expect("Failed to start server"); - }); - - tokio::time::sleep(tokio::time::Duration::from_millis(100)).await; - - (addr, handle) - } - - #[tokio::test] - async fn test_health_ext_authz_service() { - let (addr, server) = start_server().await; - - let mut client = build_rpc_client( - addr, - envoy_types::pb::envoy::service::auth::v3::authorization_client::AuthorizationClient::new, - ) - .await; - - let request = tonic::Request::new(envoy_types::ext_authz::v3::pb::CheckRequest::default()); - let response = client.check(request).await; - - assert!(response.is_ok()); - - server.abort(); - } -} diff --git a/tests/integration_test.rs b/tests/integration_test.rs deleted file mode 100644 index c17d8e65..00000000 --- a/tests/integration_test.rs +++ /dev/null @@ -1,2 +0,0 @@ -mod authorization; -mod support; diff --git a/tests/support/common.rs b/tests/support/common.rs deleted file mode 100644 index 8db5c52b..00000000 --- a/tests/support/common.rs +++ /dev/null @@ -1,12 +0,0 @@ -use std::sync::Once; - -static INIT: Once = Once::new(); - -pub fn setup() { - INIT.call_once(|| { - tracing_subscriber::fmt() - .with_test_writer() - .with_max_level(tracing::Level::WARN) - .init(); - }); -} diff --git a/tests/support/factory_bot.rs b/tests/support/factory_bot.rs deleted file mode 100644 index ba0d9c38..00000000 --- a/tests/support/factory_bot.rs +++ /dev/null @@ -1,74 +0,0 @@ -use envoy_types::ext_authz::v3::pb::CheckRequest; -use envoy_types::pb::envoy::service::auth::v3::AttributeContext; -use envoy_types::pb::envoy::service::auth::v3::attribute_context::{HttpRequest, Request}; -use std::collections::HashMap; -use std::net::SocketAddr; -use std::str::FromStr; -use tonic::transport::Channel; - -#[allow(dead_code)] -pub fn build<T: Default>() -> T { - please::build() -} - -pub fn build_with<T, F>(initializer: F) -> T -where - T: Default, - F: std::ops::FnOnce(&mut T), -{ - please::build_with(initializer) -} - -pub fn build_request(f: impl std::ops::FnOnce(&mut HttpRequest)) -> CheckRequest { - build_with(|item: &mut CheckRequest| { - item.attributes = Some(please::build_with(|item: &mut AttributeContext| { - item.request = Some(please::build_with(|item: &mut Request| { - item.http = Some(please::build_with(|item: &mut HttpRequest| f(item))); - })); - })); - }) -} - -pub fn build_headers(headers: Vec<(String, String)>) -> HashMap<String, String> { - build_with(|item: &mut HashMap<String, String>| { - for (key, value) in headers { - item.insert(key, value); - } - }) -} - -pub fn build_cedar_authorizer(entities: cedar_policy::Entities) -> authzd::CedarAuthorizer { - let realpath = std::fs::canonicalize("./etc/authzd").unwrap(); - let path = realpath.as_path(); - authzd::CedarAuthorizer::new_from(path, entities) -} - -pub async fn build_channel(addr: SocketAddr) -> Channel { - Channel::from_shared(format!("http://{}", addr)) - .expect("Failed to create channel") - .connect() - .await - .expect("Failed to connect to server") -} - -pub async fn build_rpc_client<T, F>(addr: SocketAddr, f: F) -> T -where - F: FnOnce(Channel) -> T, -{ - f(build_channel(addr).await) -} - -pub fn build_user( - id: &str, - attrs: std::collections::HashMap<String, cedar_policy::RestrictedExpression>, -) -> cedar_policy::Entity { - cedar_policy::Entity::new( - cedar_policy::EntityUid::from_type_name_and_id( - cedar_policy::EntityTypeName::from_str("User").unwrap(), - cedar_policy::EntityId::from_str(id).unwrap(), - ), - attrs, - std::collections::HashSet::new(), - ) - .unwrap() -} diff --git a/tests/support/mod.rs b/tests/support/mod.rs deleted file mode 100644 index c46f39e5..00000000 --- a/tests/support/mod.rs +++ /dev/null @@ -1,2 +0,0 @@ -pub mod common; -pub mod factory_bot; |